Vigorus
New Member
October 25, 2018
Question

Adding a new FortiGate firewall to an existing IPsec VPN connection.


Hi guys

Need your help. We have existing IPsec VPN tunnels (Cisco) between our main office and our branches (hub and spokes). Several days ago we acquired a new FortiGate 301E. Initially, we would like to just forward web traffic through it. With the main office, I achieved this without problems; both devices are in the same subnet. But I could not do the same with the branches, despite the fact that I forwarded all web traffic to a FortiGate local IP address.


    ede_pfau
    SuperUser
    October 25, 2018

    It would greatly help if you could put up a diagram showing sites and subnets.


    Generally, the FGT needs to know the route to a remote subnet or it will silently drop traffic from there. This is easy to overlook as traffic comes in OK (the remote router has a matching route), but traffic will die on its way through the FGT. Make sure you have valid routes for all remote spoke subnets on the FGT.

    Vigorus
    Author
    New Member
    October 26, 2018

    Hi, ede_pfau. Thanks for such a prompt response. Yep, sure. I added a general topology.

    ede_pfau
    SuperUser
    October 27, 2018

    The FGT needs to have a port in the 20.20.2.0/24 subnet (which isn't shown in your diagram). And a route to '20.20.2.0/24' via this port and gw 20.20.2.2.

    As a rule: the gw needs to be within a local subnet. One subnet per port (or VLAN).

    Vigorus
    Author
    New Member
    October 27, 2018

    Thanks for the reply. Forgot to mention that we use PBR to forward all web traffic from one local subnet to another. In this scenario, I used PBR to forward all web traffic from 20.20.2.2 to 20.20.1.200 through the VPN tunnel.

    ede_pfau
    SuperUser
    October 27, 2018

    OK, still, the FGT needs to "know" where that traffic is coming in through, so it needs a static route back. Otherwise, if there is no route to traffic with a specific source address the FGT will silently drop the traffic.


    The 'route of last resort' a.k.a. default route usually points to the WAN interface. If traffic from 20.20.2.2 is not coming in through that interface (like in your case, it's coming in on the tunnel interface) then the default route does not apply - hence traffic is dropped.
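    To make the point above concrete, here is an added example (not from this thread and not Fortinet code) that models a reverse-path check over a small routing table: a packet from 20.20.2.2 handed to the FGT by the hub router is dropped while the only matching route is the default route out the WAN port, and accepted once a static route back to 20.20.2.0/24 via 20.20.1.2 exists on the port the traffic arrives on. Interface names (wan1, port1), the WAN gateway and the strict/loose distinction are assumptions of this simplified model, not FortiOS specifics.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str   # next hop
    device: str    # interface the route points out of (assumed names)


def lookup(routes, addr):
    """Longest-prefix match for addr; returns the best Route or None."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_check(routes, src, ingress_if, strict=True):
    """Simplified reverse-path check (model, not the FortiOS algorithm):
    drop if no route to the source exists; in strict mode also drop if the
    route to the source points out a different interface than the packet
    arrived on. Returns (accepted, reason)."""
    r = lookup(routes, src)
    if r is None:
        return False, "no route back to source"
    if strict and r.device != ingress_if:
        return False, f"return route via {r.device}, packet arrived on {ingress_if}"
    return True, f"return route via {r.device} gw {r.gateway}"


def build_routes(with_static):
    """Routing table of the hub-site FGT. The default route is assumed;
    the static route is the one discussed in the thread."""
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "wan1")]
    if with_static:
        # 20.20.2.0/24 reachable via the Cisco hub router 20.20.1.2 on the LAN port
        routes.append(Route(ipaddress.ip_network("20.20.2.0/24"), "20.20.1.2", "port1"))
    return routes


if __name__ == "__main__":
    # Constructed scenario: branch host 20.20.2.2 arrives via the hub router on port1
    for has_static in (False, True):
        ok, why = rpf_check(build_routes(has_static), "20.20.2.2", "port1")
        print(f"static route present={has_static}: accepted={ok} ({why})")
```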

    Vigorus
    Author
    New Member
    October 27, 2018

    You're right. I've already added a static route on the FortiGate (all traffic destined to 20.20.2.0 is forwarded to 20.20.1.2), and I can ping from one side (20.20.2.2) to the other (20.20.1.200) and vice versa. The issue is that I can't make it work: I don't see any traffic on the FGT from 20.20.2.2, despite the fact that I've already forwarded all traffic to it and added a filter to accept any packet from any source.